FTC Releases Privacy Report; Outlines New Framework for Privacy Protections
Davis, Wright, Tremaine LLP
By Paul Glist
The Federal Trade Commission has released its long-awaited Privacy Report. The Report proposes a “normative framework” for new privacy protections that would cover the use of personal and profiling information across all industries, on and offline, and recommends a “do not track” law to limit online behavioral advertising. (A copy of the FTC’s Report is available here.) The Report is something of a hybrid. It is positioned as a preliminary staff report for comment, but was voted on by the FTC Commissioners (over cautionary statements by the Republicans). It is partly a companion and complement to Bobby Rush’s privacy bill; partly a call for rulemaking comments (by January 31, 2011); partly a call for better industry self-regulation; and partly a warning of more aggressive enforcement activity to come under existing law.
Premises. The Report renews an FTC refrain that the current framework for privacy enforcement needs updating. Consumers don’t read or understand privacy notices, so cannot give informed consent. They have little or no idea that data profiles are assembled by parties with whom they have no direct relationship, and feel nervous that profiles are being used to deliver targeted advertising. Whether or not the profiles are “personally-identifiable” or de-identified, the “fear of being monitored” is harm in itself that should be addressed, and industry is not moving quickly enough. (These premises are questioned in the Republican concurring statements.)
Scope. Like the Rush bill, the Report proposes a framework for privacy that extends far beyond online advertising to all businesses that handle consumer data—online, offline, bricks and mortar—with to-be-defined exceptions for those that handle only small amounts.
Notice. Like the Rush bill, it encourages clear notices, ideally given to the consumer in a less-burdensome, standardized format at a time when it is meaningful and subject to easy comparison with other firms’ privacy notices.
Choice. Also like the Rush bill, it seeks a graduated level of consumer choice depending on use. “Commonly-accepted” uses, such as order fulfillment, service improvement, fraud detection, legal and law enforcement compliance, first-party advertising on the same platform, and possibly advertising by obvious affiliates, would be permitted without choice. Almost everything else is put in play: first-party advertising sent through different media, third-party advertising networks, data collection by an ISP, collection of “sensitive information,” and collection of any information about “sensitive users” like impulsive teens would all be subjected to a heightened level of choice. The Report punts on whether that should be opt-in or opt-out. The Report questions how far companies should be permitted to give “take it or leave it” offers, conditioning services on the use of consumer data. But at least it recommends a sliding scale, in which the level of protection afforded should be proportionate to the data and risks involved at each business.
Access. Any company that maintains data profiles—including third party data brokers—would be expected to provide some level of notice and access if the stored personal profile may be used for the denial of a benefit. Those with data profiles used for other purposes might respond to inquiries with a description of the kinds of information stored and an opportunity to opt-out. The Report reveals concern over the use of de-identified data, wondering how data can be effectively anonymized and how long it can remain anonymized as technology advances.
Privacy by Design, Security, and Data Minimization. The Report exhorts all businesses to adopt “privacy by design,” going beyond security, privacy officers and training to design privacy into every product, service, and application with the same concern given to costs. The Report includes typical recommendations for collecting and retaining only the data needed for legitimate business uses, and asks how it should define what is “needed” and what is a “legitimate business use.”
Do Not Track. The FTC’s headline issue is recommending a “do not track” requirement. The current idea is to require modified browsers to send an HTTP header asking sites not to track for behavioral advertising. The Report does recite many of the “enormous benefits” of behavioral advertising and other technology advances such as free Internet content, online search, lower prices, global communication, and cloud computing. It also asks a few token questions about the impact that “opt-out” from behavioral advertising might have on Internet commerce and on the consumer experience online. But it asks far more about the mechanics of implementing “do not track.” The Report does not grapple with how much protection “do not track” would provide if it cannot control overseas servers, or does not reach email, web applications, mobile, or “offline” data.
Technological neutrality. As with the Rush and Boucher bills, the Report does not achieve technological neutrality. It carries forward a reflexive hostility to collecting data at the cable modem, while positioning advertiser-supported companies at the edge to offer behavioral advertising with adequate notice and informed consent.
Next Steps. Because this Report is serving multiple purposes, it will be part of the privacy debate in many forums. It will be a feature at the December 2 hearing before Bobby Rush’s House Consumer Affairs Subcommittee; over the coming weeks before the January 31 deadline for comment on the Report and the FTC’s scores of specific questions; and before other agencies (such as the FCC or Commerce) which are also pursuing the privacy agenda.